Update Kerberos docs for phase 2.

docs/en_US/kerberos.rst

@@ -4,7 +4,12 @@
 `Enabling Kerberos Authentication`:index:
 *****************************************
 
-To configure Kerberos authentication, you must set your Kerberos Server and generate the *kinit* ticket on the client. To enable the Kerberos authentication for pgAdmin, you must configure the Kerberos settings in *config_local.py* or *config_system.py* (see the :ref:`config.py <config_py>` documentation) on the system where pgAdmin is installed in Server mode. You can copy these settings from *config.py* file and modify the values for the following parameters.
+To configure Kerberos authentication, you must setup your Kerberos Server and
+generate a ticket on the client using *kinit*. To enable Kerberos authentication
+for pgAdmin, you must configure the Kerberos settings in *config_local.py* or
+*config_system.py* (see the :ref:`config.py <config_py>` documentation) on the
+system where pgAdmin is installed in Server mode. You can copy these settings
+from *config.py* file and modify the values for the following parameters.
 
 .. csv-table::
    :header: "**Parameter**", "**Description**"
@@ -12,25 +17,42 @@ To configure Kerberos authentication, you must set your Kerberos Server and gene
    :widths: 35, 55
 
    "AUTHENTICATION_SOURCES","The default value for this parameter is *internal*.
-   To enable Kerberos authentication, you must include *kerberos* in the list of values for this parameter. you can modify the value as follows:
+   To enable Kerberos authentication, you must include *kerberos* in the
+   list of values for this parameter. you can modify the value as follows:
 
    * [‘kerberos’]: pgAdmin will use only Kerberos authentication.
 
-   * [‘kerberos’, ‘internal’]: pgAdmin will first try to authenticate the user through kerberos. If that authentication fails, then it will return back to the login dialog where you need to provide internal pgAdmin user credentials for authentication."
-   "KERBEROS_AUTO_CREATE_USER", "Specify value to *True* if you want to automatically create a pgAdmin user corresponding to the kerberos user credentials. Please note that password is not stored in the pgAdmin database."
-   "KRB_APP_HOST_NAME", "Specify the name of *pgAdmin webserver hostname*. Please note that if it is not set, it will take the value of *default_server* parameter."
+   * [‘kerberos’, ‘internal’]: pgAdmin will first try to authenticate the user
+     through kerberos. If that authentication fails, then it will return back
+     to the login dialog where you need to provide internal pgAdmin user
+     credentials for authentication."
+   "KERBEROS_AUTO_CREATE_USER", "Set the value to *True* if you want to
+   automatically create a pgAdmin user corresponding to a successfully
+   authenticated Kerberos user. Please note that password is not stored in the
+   pgAdmin database."
+   "KRB_APP_HOST_NAME", "Specify the name of *pgAdmin webserver hostname*.
+   Please note that if it is not set, it will take the value of
+   *default_server* parameter."
 
 Keytab file for HTTP Service
 ============================
 
-* Generate the *Keytab* file for the HTTP service principal and copy it to the *pgAdmin* webserver machine. Ensure that the operating system user owning the *pgAdmin* webserver is the owner of this file and should be accessible by that user.
+* Generate the *Keytab* file for the HTTP service principal and copy it to the
+  *pgAdmin* webserver machine. Ensure that the operating system user owning
+  the *pgAdmin* webserver is the owner of this file and should be accessible
+  by that user.
 
-* Please note that either you should set *default_keytab_name* parameter in *krb5.conf* file or the environment variable *KRB5_KTNAME*. If not set then explicitly set *KRB_KTNAME* to the location of your *Keytab* file in the *config_local.py* or *config_system.py* file.
+* Please note that either you should set *default_keytab_name* parameter in
+  *krb5.conf* file or the environment variable *KRB5_KTNAME*. If not set then
+  explicitly set *KRB_KTNAME* to the location of your *Keytab* file in the
+  *config_local.py* or *config_system.py* file.
 
 Apache HTTPD Configuration
 ==========================
 
-If the *pgAdmin* server is under the Apache Server, then you need to add the following parameters in *Directory* directive of :ref:`Apache HTTPD Configuration <server_deployment>`:
+If the *pgAdmin* server is under the Apache Server, then you need to add the
+following parameters in *Directory* directive of
+:ref:`Apache HTTPD Configuration <server_deployment>`:
 
    * WSGIScriptReloading On
 
@@ -40,30 +62,57 @@ If the *pgAdmin* server is under the Apache Server, then you need to add the fol
 Browser settings to configure Kerberos Authentication
 =====================================================
 
-You need to do the browser settings on the client machine to use the *Spnego/Kerberos*.
+You need to configure the browser settings on the client machine to use
+Kerberos authentication via *SPNEGO*.
 
 - For Mozilla Firefox
 
-  - Open the low level Firefox configuration page by loading the *about:config* page.
+  - Open the low level Firefox configuration page by entering *about:config* in
+    the address bar.
   - In the Search text box, enter: *network.negotiate-auth.trusted-uris*
-  - Double-click the *network.negotiate-auth.trusted-uris* preference and enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with a comma.
+  - Double-click the *network.negotiate-auth.trusted-uris* preference and enter
+    the hostname or the domain of the web server that is protected by Kerberos
+    HTTP SPNEGO. Separate multiple domains and hostnames with a comma.
   - Click OK.
 
 - For Google Chrome
 
-  - For Windows:
+  - On Windows:
 
     * Open the Control Panel to access the Internet Options dialog.
     * Select the Security tab.
     * Select the Local Intranet zone and click the Sites button.
-    * Make sure that the first two options, Include all local (intranet) sites not listed in other zones and Include all sites that bypass the proxy server are checked.
-    * Click Advanced and add the names of the domains that are protected by Kerberos HTTP SPNEGO, one at a time, to the list of websites. For example, myhost.example.com. Click Close.
+    * Make sure that the first two options, *Include all local (intranet) sites
+      not listed in other zones* and *Include all sites that bypass the proxy
+      server* are checked.
+    * Click Advanced and add the names of the domains that are protected by
+      Kerberos HTTP SPNEGO, one at a time, to the list of websites. For example,
+      myhost.example.com. Click Close.
     * Click OK to save your configuration changes.
 
-  - For Linux or MacOS:
+  - On Linux or macOS:
 
-    * Add the *--auth-server-whitelist* parameter to the google-chrome command. For example, to run Chrome from a Linux prompt, run the google-chrome command as follows:
+    * Add the *--auth-server-whitelist* parameter to the google-chrome command.
+      For example, to run Chrome from a Linux prompt, run the google-chrome
+      command as follows:
 
     .. code-block:: text
 
        google-chrome --auth-server-whitelist = "hostname/domain"
+
+
+PostgreSQL Server settings to configure Kerberos Authentication
+===============================================================
+
+* To connect the PostgreSQL server with Kerberos authentication, GSSAPI support
+  has to be enabled when PostgreSQL is built and the necessary
+  `configuration <https://www.postgresql.org/docs/current/gssapi-auth.html>`_
+  has to be in place.
+
+* In pgAdmin you need to enable Kerberos authentication for the PostgreSQL
+  server by setting "Kerberos authentication" flag to True in the Server dialog.
+  Once it is enabled, pgAdmin will not prompt for a password and will try to
+  connect to the PostgreSQL server using Kerberos.
+
+* Note that, you have to login into pgAdmin with Kerberos authentication to
+  then connect to PostgreSQL using Kerberos.

docs/en_US/server_dialog.rst

@@ -31,15 +31,18 @@ Use the fields in the *General* tab to identify the server:
   connection to the server upon completion of the dialog; this is the default
 
 * If the *Shared?* switch is moved to *Yes* then that server can be
-  shared with all the other users. This option is available only to admin users. For more information on users see :ref:`User Management Dialog <user_management>`. The users can access the shared servers with some restritctions. The Users accessing the shared servers cannot do the following operations on the shared servers:
+  shared with all the other users. This option is available only to admin users.
+  For more information on users see :ref:`User Management Dialog <user_management>`.
+  Users can access the shared servers with some restrictions - the following
+  operations on shared servers are not permitted:
 
-    * Create a server
     * Delete the server
     * Rename the server
     * Rename the group server
     * Change of host, port, and maintenance database
 
-  Please note that once the server is shared, it's icon is changed in the browser tree.
+  Please note that once the server is shared, it's icon is changed in the
+  browser tree.
 
 * Provide a comment about the server in the *Comments* field.
 
@@ -62,6 +65,8 @@ Use the fields in the *Connection* tab to configure a connection:
   installed on that database.
 * Use the *Username* field to specify the name of a role that will be used when
   authenticating with the server.
+* When *Kerberos authentication?* is set to *True*, pgAdmin will try to connect
+  the PostgreSQL server using Kerberos authentication.
 * Use the *Password* field to provide a password that will be supplied when
   authenticating with the server.
 * Check the box next to *Save password?* to instruct pgAdmin to save the